
Multiple Vulnerabilities in Samsung SmartThings Hub

Cisco Talos recently discovered several vulnerabilities present within the firmware of the Samsung SmartThings Hub. In accordance with their coordinated disclosure policy, Cisco Talos has worked with Samsung to ensure that these issues have been resolved and that a firmware update has been made available for affected customers. These vulnerabilities could allow an attacker to execute OS commands or other arbitrary code on affected devices.

Vulnerability Details

Samsung SmartThings Hub RTSP Password Command Injection Vulnerability (TALOS-2018-0539 / CVE-2018-3856)

The Samsung SmartThings Hub can be used to register, configure, and view the video stream from various IP cameras. The smart hub also provides users the ability to modify the camera’s password, which is then stored by `video-core` in an internal database. Accessing the camera’s video feed causes the camera to invoke the `ffmpeg` command using the `camera-password` parameter that is retrieved from this database. By including a space character in the camera password, an attacker could cause the `ffmpeg` binary to be launched with attacker-controlled command-line options. These options could be used to execute arbitrary system commands. TALOS-2018-0539 has been assigned CVE-2018-3856. For additional information, please see the advisory here.
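The command-injection class above comes from handing a stored password to a command line that is split on spaces. The following is an added example, not code from Talos, Samsung or the hub firmware (the ffmpeg arguments, the RTSP URL layout and all function names are assumptions): credentials are percent-encoded into the RTSP URL and ffmpeg is launched through an argv vector, so a space in a password can never become a separate option.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 12

/* Percent-encode src into dst (RFC 3986 unreserved characters pass through).
 * Returns 0, or -1 if dst cannot hold the result plus the terminating NUL. */
static int url_encode(char *dst, size_t dst_len, const char *src)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        int keep = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                   (c >= '0' && c <= '9') || strchr("-._~", c) != NULL;
        if (keep) {
            if (o + 1 >= dst_len) return -1;
            dst[o++] = (char)c;
        } else {
            if (o + 3 >= dst_len) return -1;
            dst[o++] = '%'; dst[o++] = hex[c >> 4]; dst[o++] = hex[c & 0xF];
        }
    }
    dst[o] = '\0';
    return 0;
}

/* Build rtsp://user:pass@host/path with the credentials encoded, so ':', '@',
 * '/' or spaces in them cannot change the URL's structure. Returns 0 or -1. */
int build_rtsp_url(char *out, size_t out_len, const char *host,
                   const char *user, const char *password, const char *path)
{
    char u[128], p[128];
    if (url_encode(u, sizeof u, user) != 0 || url_encode(p, sizeof p, password) != 0)
        return -1;
    int n = snprintf(out, out_len, "rtsp://%s:%s@%s/%s", u, p, host, path);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;   /* truncated: fail closed */
}

/* Fill argv for execvp(): each value is exactly one element, so nothing is
 * re-tokenised on spaces the way a shell command string would be.
 * Returns argc (argv[argc] is NULL), or -1 if max_args is too small. */
int build_ffmpeg_argv(const char *argv[], int max_args,
                      const char *rtsp_url, const char *out_path)
{
    const char *fixed[] = { "ffmpeg", "-rtsp_transport", "tcp", "-i", rtsp_url,
                            "-c", "copy", "-f", "mpegts", out_path };
    int argc = (int)(sizeof fixed / sizeof fixed[0]);
    if (argc + 1 > max_args) return -1;
    for (int i = 0; i < argc; i++) argv[i] = fixed[i];
    argv[argc] = NULL;
    return argc;   /* caller: execvp(argv[0], (char *const *)argv) */
}
```

The vector is handed straight to execvp; no shell is involved, so there is nothing for a crafted password to break out of.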

Samsung SmartThings Hub video-core samsungWifiScan Code Execution Vulnerability (TALOS-2018-0548 / CVE-2018-3863 – CVE-2018-3866)

Multiple buffer overflow vulnerabilities exist within the samsungWifiScan handler of the `video-core` HTTP server used by the SmartThings Hub. An attacker could send specially crafted HTTP POST requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings hub improperly processing user-controlled JSON that is submitted as part of an HTTP POST request to /samsungWifiScan. The values of the `user`, `password`, `cameraIp`, and `callbackUrl` keys can be used to trigger these vulnerabilities as this data is transferred to a destination buffer in memory using `strcpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0548 has been assigned CVE-2018-3863 through CVE-2018-3866. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core samsungWifiScan Callback Code Execution Vulnerability (TALOS-2018-0549 / CVE-2018-3867)

An exploitable buffer overflow vulnerability exists within the Samsung WifiScan callback notification functionality present within the `video-core` HTTP server used by the SmartThings Hub. An attacker could send specially crafted HTTP POST requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings hub incorrectly processing communications received from smart cameras during the smart camera discovery process. An attacker could host specially crafted HTTP contents using an HTTP server that could be used to trigger this vulnerability. During the smart camera registration process, the SmartThings Hub will attempt to retrieve these contents from the host specified. The retrieved contents are then transferred using `sprintf` without first checking the size of the destination buffer. This vulnerability could be exploited to execute arbitrary code. TALOS-2018-0549 has been assigned CVE-2018-3867. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core credentials videoHostUrl Code Execution Vulnerability (TALOS-2018-0554 / CVE-2018-3872)

Multiple exploitable buffer overflow vulnerabilities exist within the `credentials` handler of `video-core` HTTP server used by the SmartThings Hub. An attacker could send a specially crafted HTTP POST request to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings Hub improperly processing user-controlled JSON that is submitted as part of a POST request to `/credentials`. The value of the `videoHostUrl` key can be used to trigger this vulnerability, as the data contained within this key is transferred to a destination buffer in memory without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0554 has been assigned CVE-2018-3872. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core credentials Code Execution Vulnerability (TALOS-2018-0555 / CVE-2018-3873 – CVE-2018-3878)

Multiple exploitable buffer overflow vulnerabilities exist within the `credentials` handler of the `video-core` HTTP server used by the SmartThings Hub. An attacker could send a specially crafted HTTP POST request to affected devices to exploit this vulnerability. These vulnerabilities manifest due to the SmartThings Hub improperly processing user-controlled JSON that is submitted as part of a POST request to `/credentials`. The values of the `secretKey`, `accessKey`, `sessionToken`, `bucket`, `directory`, and `region` keys can be used to trigger these vulnerabilities, as the data contained within those keys is transferred to a destination buffer in memory using `strncpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0555 has been assigned CVE-2018-3873 through CVE-2018-3878. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core credentials Parsing SQL Injection Vulnerability (TALOS-2018-0556 / CVE-2018-3879)

A SQL injection vulnerability exists within the `credentials` handler of the `video-core` HTTP server used by the SmartThings Hub. An attacker could send specially crafted HTTP POST requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings Hub improperly processing user-controlled JSON that is submitted as part of a POST request to `/credentials`. The SmartThings Hub allows for the changing of credentials that the hub uses when connecting to other devices. This process includes an HTTP POST request containing JSON which is made up of all of the parameters required to change the credentials. This information is not properly sanitized prior to being stored in an internal SQLite database. By including JSON and SQL syntax within this request, it is possible to trigger a JSON injection that, in turn, triggers a SQL injection condition. TALOS-2018-0556 has been assigned CVE-2018-3879. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core Database find-by-cameraId Code Execution Vulnerability (TALOS-2018-0557 / CVE-2018-3880)

An exploitable buffer overflow vulnerability exists within the database ‘find-by-cameraId’ functionality present within the `video-core` HTTP server used by the Samsung SmartThings hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the `video-core` process incorrectly handling records present within the SQLite database it uses. After first adding a camera to the ‘camera table’ of the SQLite database along with overly long camera information, an attacker can trigger this vulnerability by sending a specially crafted HTTP DELETE request specifying the camera that was previously added, causing an overflow condition. This works due to a lack of restriction on the data that was pulled in during the database lookup for the camera. TALOS-2018-0557 has been assigned CVE-2018-3880. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core clips Code Execution Vulnerability (TALOS-2018-0570 / CVE-2018-3893 – CVE-2018-3897)

Multiple exploitable buffer overflow vulnerabilities exist within the `/cameras/XXXX/clips` handler present in the `video-core` HTTP server used by the Samsung SmartThings Hub. An attacker could send specially crafted HTTP POST requests to affected devices to exploit these vulnerabilities. These vulnerabilities manifest due to the SmartThings Hub improperly processing user-controlled JSON that is submitted as part of a POST request to “/cameras/<camera-id>/clips.” The values of the ‘captureTime’, ‘startTime’, ‘endTime’, ‘correlationId’, and ‘callbackUrl’ keys can be used to trigger these vulnerabilities, as the data contained within those keys is transferred to a destination buffer using `strncpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0570 has been assigned CVE-2018-3893 through CVE-2018-3897. For additional information please see the advisory here.

Samsung SmartThings Hub video-core Camera URL Replace Code Execution Vulnerability (TALOS-2018-0573 / CVE-2018-3902)

An exploitable buffer overflow vulnerability exists within the camera “replace” feature present within the `video-core` HTTP server used by the Samsung SmartThings hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings Hub improperly processing user-controlled JSON that is submitted as part of an HTTP PUT request to “/cameras/<camera-id>.” The value of the ‘url’ key can be used to trigger this vulnerability as the data contained within this key is transferred to a destination buffer using `memcpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0573 has been assigned CVE-2018-3902. For additional information please see the advisory here.

Samsung SmartThings Hub video-core Camera Update Code Execution Vulnerabilities (TALOS-2018-0574 / CVE-2018-3903 – CVE-2018-3904)

Multiple exploitable buffer overflow vulnerabilities exist within the camera “update” feature present within the `video-core` HTTP server used by the SmartThings Hub. An attacker could send specially crafted HTTP requests to affected devices to exploit these vulnerabilities. These vulnerabilities manifest due to the SmartThings hub improperly processing user-controlled JSON that is submitted as part of a PATCH request to “/cameras/<camera-id>.” The values of the ‘url’ or ‘state’ keys can be used to trigger these vulnerabilities as the data contained within these keys is transferred to a destination buffer using `memcpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0574 has been assigned CVE-2018-3903 and CVE-2018-3904. For additional information please see the advisory here.

Samsung SmartThings Hub video-core Camera Creation Code Execution Vulnerability (TALOS-2018-0575 / CVE-2018-3905)

An exploitable buffer overflow vulnerability exists within the camera “create” feature present within the `video-core` HTTP server used by the Hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings hub improperly processing user-controlled JSON that is submitted as part of a POST request to “/cameras.” The value of the “state” key can be used to trigger this vulnerability as the data contained within this key is transferred to a destination buffer using `memcpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0575 has been assigned CVE-2018-3905. For additional information please see the advisory here.
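Every overflow in the handlers above (and the database-field cases in TALOS-2018-0576, -0581 and -0583) is the same defect: a copy bounded by the source length rather than by the destination. The following is an added example, not code from the advisories or the hub firmware; the field sizes are assumptions and the minimal JSON lookup is constructed for the example. It shows a destination-bounded copy that fails closed when a value would not fit.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size record, modelled on the advisory's description of /credentials.
 * Field sizes are assumptions for the example. */
struct credentials {
    char secretKey[40];
    char accessKey[20];
    char bucket[64];
    char region[16];
};

/* Hardened copy: the bound comes from the DESTINATION, and a value that does
 * not fit (including its NUL) is rejected rather than written past the end.
 * The pattern the advisories describe bounds the copy by the source length
 * instead, e.g. strncpy(dst, src, strlen(src)), which is no bound at all. */
int copy_field(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    if (src_len >= dst_len) return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Minimal lookup of "key":"value" in a flat JSON object; constructed for the
 * example (no whitespace after ':' and no escaped quotes are supported).
 * Returns a pointer to the value and stores its length, or NULL if absent. */
static const char *json_string(const char *json, const char *key, size_t *len)
{
    char pat[64];
    int n = snprintf(pat, sizeof pat, "\"%s\":\"", key);
    if (n < 0 || (size_t)n >= sizeof pat) return NULL;
    const char *p = strstr(json, pat);
    if (p == NULL) return NULL;
    p += n;
    const char *end = strchr(p, '"');
    if (end == NULL) return NULL;
    *len = (size_t)(end - p);
    return p;
}

/* Parse a POST body into the record. Returns 0 on success, -1 if a required
 * key is missing, -2 if any value would overflow its field. */
int parse_credentials(const char *json, struct credentials *c)
{
    const struct { const char *key; char *dst; size_t cap; } f[] = {
        { "secretKey", c->secretKey, sizeof c->secretKey },
        { "accessKey", c->accessKey, sizeof c->accessKey },
        { "bucket",    c->bucket,    sizeof c->bucket    },
        { "region",    c->region,    sizeof c->region    },
    };
    for (size_t i = 0; i < sizeof f / sizeof f[0]; i++) {
        size_t len = 0;
        const char *v = json_string(json, f[i].key, &len);
        if (v == NULL) return -1;
        if (copy_field(f[i].dst, f[i].cap, v, len) != 0) return -2;
    }
    return 0;
}
```

The same `copy_field` bound applies when a row is read back out of the database: a field that was stored over-long must be rejected on retrieval, not trusted because it came from local storage.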

Samsung SmartThings Hub video-core Database shard.videoHostURL Code Execution Vulnerability (TALOS-2018-0576 / CVE-2018-3906)

An exploitable stack-based buffer overflow vulnerability exists within the retrieval of a database field within the `video-core` HTTP server used by the SmartThings Hub. An attacker could send a specially crafted HTTP request to affected devices to exploit this vulnerability. This vulnerability manifests due to the `video-core` HTTP server improperly extracting the “shard.videoHostURL” field from its SQLite database, causing a stack-based buffer overflow condition. To exploit this vulnerability, an attacker would need to modify the value of this field in the SQLite database. This could be accomplished by leveraging TALOS-2018-0556. TALOS-2018-0576 has been assigned CVE-2018-3906. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core REST Request Parser HTTP Pipelining Injection Vulnerabilities (TALOS-2018-0577 / CVE-2018-3907 – CVE-2018-3909)

Multiple exploitable vulnerabilities exist within the REST parser present within the `video-core` HTTP server. An attacker could send specially crafted HTTP requests to affected devices to exploit these vulnerabilities. These vulnerabilities manifest due to the SmartThings Hub incorrectly handling pipelined HTTP requests. These vulnerabilities could allow an attacker to overwrite the methods and contents of an HTTP request in order to insert malicious data for a variety of different reasons. These vulnerabilities could be leveraged along with other vulnerabilities to further maximize the attacker’s impact on affected devices. TALOS-2018-0577 has been assigned CVE-2018-3907 through CVE-2018-3909. For additional information, please see the advisory here.

Samsung SmartThings Hub hubCore Port 39500 HTTP Header Injection Vulnerability (TALOS-2018-0578 / CVE-2018-3911)

An exploitable HTTP header injection vulnerability exists within the communications present between the Hub and the remote servers it communicates with. An attacker could send a specially crafted HTTP request to affected devices to exploit this vulnerability. This vulnerability is present within the JSON processing performed by the `hubCore` binary present within the SmartThings hub and could be combined with other vulnerabilities present within affected devices to achieve code execution. TALOS-2018-0578 has been assigned CVE-2018-3911. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core Database shard Code Execution Vulnerabilities (TALOS-2018-0581 / CVE-2018-3912 – CVE-2018-3917)

Multiple exploitable stack-based buffer overflow vulnerabilities exist within the retrieval of database fields within the `video-core` HTTP server used by the Samsung SmartThings hub. An attacker could send specially crafted HTTP requests to affected devices to exploit these vulnerabilities. These vulnerabilities manifest due to the `video-core` HTTP server improperly extracting the contents of several fields from its SQLite database, causing a stack-based buffer overflow condition. To exploit these vulnerabilities, an attacker would need to modify the value of these fields within the SQLite database. This could be accomplished by leveraging TALOS-2018-0556. TALOS-2018-0581 has been assigned CVE-2018-3912 through CVE-2018-3917. For additional information, please see the advisory here.

Samsung SmartThings Hub hubCore Port 39500 Sync Denial Of Service Vulnerability (TALOS-2018-0582 / CVE-2018-3918)

A vulnerability exists within the communications between the Samsung SmartThings Hub and the remote servers it communicates with. This vulnerability is present within the “sync” operation used to determine which cameras should be managed by the Hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. Due to the lack of proper authentication, a remote attacker could leverage this trust relationship to delete cameras that should otherwise be managed by the SmartThings hub. TALOS-2018-0582 has been assigned CVE-2018-3918. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core Database clips Code Execution Vulnerability (TALOS-2018-0583 / CVE-2018-3919)

An exploitable stack-based buffer overflow vulnerability exists within the retrieval of database fields in the `video-core` HTTP server used by the Hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the `video-core` server not properly processing and extracting the fields from the “clips” table within its SQLite database. Leveraging TALOS-2018-0556, an attacker could arbitrarily insert a “captureTime” value within this table that exceeds the maximum size expected by the Hub, which results in a buffer overflow condition due to the lack of proper enforcement of this maximum size value. TALOS-2018-0583 has been assigned CVE-2018-3919. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core AWSELB Cookie Code Execution Vulnerability (TALOS-2018-0591 / CVE-2018-3925)

An exploitable buffer overflow vulnerability exists within the remote video-host communication that is present within the `video-core` HTTP server used by the Samsung SmartThings Hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the `video-core` server not properly handling the contents of AWSELB cookies. The cookie value that is obtained from the remote video-host servers is copied to a destination buffer without first checking the length of the cookie value, leading to a buffer overflow condition. TALOS-2018-0591 has been assigned CVE-2018-3925. For additional information, please see the advisory here.

Samsung SmartThings Hub hubCore ZigBee firmware update CRC16 check Denial of Service Vulnerability (TALOS-2018-0593 / CVE-2018-3926)

An exploitable integer underflow vulnerability exists within the ZigBee firmware update process present within the `hubCore` binary used by the SmartThings Hub. An attacker could create a specially crafted file present within the “data” directory used by this process to create an infinite loop that ultimately crashes the service. Due to a logic error present within the ZigBee firmware update process that takes place on the SmartThings Hub, an attacker could leverage TALOS-2018-0556 to upload a specially crafted file that causes the process to continuously loop until a crash occurs. TALOS-2018-0593 has been assigned CVE-2018-3926. For additional information, please see the advisory here.

Samsung SmartThings Hub hubCore Google Breakpad backtrace.io information disclosure vulnerability (TALOS-2018-0594 / CVE-2018-3927)

An exploitable information disclosure vulnerability exists within the exception handler present within the `hubCore` binary used by the SmartThings Hub. The Hub currently leverages Google Breakpad for the purpose of creating minidumps in situations where a crash is encountered. After these minidumps are created by the Hub, they are transmitted to a remote service (backtrace.io) for analysis via the “curl” utility, which is configured to leverage the “-k” switch for this data transmission. This insecure switch allows curl to establish a connection with a remote server that responds with a self-signed SSL certificate. An attacker with the ability to impersonate the remote server could intercept this minidump using a self-signed certificate in order to extract sensitive process data. TALOS-2018-0594 has been assigned CVE-2018-3927. For additional information, please see the advisory here.

Further technical details available here

Versions Tested

Talos has tested and confirmed that the following Samsung SmartThings Hub firmware versions are affected:

Samsung SmartThings Hub STH-ETH-250 – Firmware version 0.20.17

Resolution

Update firmware – details here

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
